From 56df900cb44d18c3ffaf16e09b83aaf37d912cc5 Mon Sep 17 00:00:00 2001
From: Jes Sorensen <Jes.Sorensen@redhat.com>
Date: Tue, 16 Jun 2015 09:13:33 -0400
Subject: [PATCH] staging: unisys: visorchannel_write() fix potential memory
 corruption

This fixes the memory corruption case, if nbytes is less than offset
and sizeof(struct channel_header)

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Benjamin Romer <benjamin.romer@unisys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/unisys/visorbus/visorchannel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/unisys/visorbus/visorchannel.c b/drivers/staging/unisys/visorbus/visorchannel.c
index b1155ab..20b6349 100644
--- a/drivers/staging/unisys/visorbus/visorchannel.c
+++ b/drivers/staging/unisys/visorbus/visorchannel.c
@@ -258,7 +258,7 @@ visorchannel_write(struct visorchannel *channel, ulong offset,
 		return -EIO;
 
 	if (offset < chdr_size) {
-		copy_size = min(chdr_size, nbytes) - offset;
+		copy_size = min(chdr_size - offset, nbytes);
 		memcpy(&channel->chan_hdr + offset, local, copy_size);
 	}
 
-- 
2.7.4